wolfssl: patch CVE-2026-5446

Backport commits from the PR[1] mentioned in the nvd[2] [1]https://github.com/wolfSSL/wolfssl/pull/10111 [2]https://nvd.nist.gov/vuln/detail/CVE-2026-5446 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-13 17:39:57 +00:00 · 2026-04-30 23:46:44 +12:00
parent 8939b43735
commit f75da20d3e
3 changed files with 91 additions and 0 deletions
@@ -0,0 +1,62 @@
+From 6d6d06c05f84b190c43c9b75c6fa11375d2be424 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 31 Mar 2026 08:31:14 -0500
+Subject: [PATCH] Fix ARIA build issue and FIPS guard
+
+(cherry picked from commit 6495e8e94115f7f6beb67497e07bac5cba8dca9c)
+
+CVE: CVE-2026-5446
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/6495e8e94115f7f6beb67497e07bac5cba8dca9c]
+
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/internal.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 992c10d2c..fbf227a93 100644
+--- a/src/internal.c
+++ b/src/internal.c
+@@ -19023,7 +19023,9 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+ #if (!defined(NO_PUBLIC_GCM_SET_IV) && \
+     ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
+     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))) || \
+-    (defined(HAVE_POLY1305) && defined(HAVE_CHACHA))
+    (defined(HAVE_POLY1305) && defined(HAVE_CHACHA)) || \
+    defined(HAVE_ARIA) || \
+    defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)
+ static WC_INLINE void AeadIncrementExpIV(WOLFSSL* ssl)
+ {
+     int i;
+@@ -20006,10 +20008,9 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
+                 sizeof(ssl->encrypt.sanityCheck));
+         #endif
+ 
+-        #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) || defined(HAVE_ARIA)
+        #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
+             if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
+-                ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm ||
+-                ssl->specs.bulk_cipher_algorithm == wolfssl_aria_gcm)
+                ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm)
+             {
+                 /* finalize authentication cipher */
+ #if !defined(NO_PUBLIC_GCM_SET_IV) && \
+@@ -20020,7 +20021,17 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
+                 if (ssl->encrypt.nonce)
+                     ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ);
+             }
+-        #endif /* BUILD_AESGCM || HAVE_AESCCM || HAVE_ARIA */
+        #endif /* BUILD_AESGCM || HAVE_AESCCM */
+        #ifdef HAVE_ARIA
+            if (ssl->specs.bulk_cipher_algorithm == wolfssl_aria_gcm)
+            {
+                /* finalize authentication cipher — wc_AriaEncrypt is
+                 * stateless, so the explicit IV must always advance */
+                AeadIncrementExpIV(ssl);
+                if (ssl->encrypt.nonce)
+                    ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ);
+            }
+        #endif /* HAVE_ARIA */
+         #if defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)
+             if (ssl->specs.bulk_cipher_algorithm == wolfssl_sm4_ccm ||
+                 ssl->specs.bulk_cipher_algorithm == wolfssl_sm4_gcm)
@@ -0,0 +1,27 @@
+From 88fc52b8e3bca58389a4a107a77f9dc52e3baa12 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 31 Mar 2026 09:35:43 -0500
+Subject: [PATCH] Fix feedback from review
+
+(cherry picked from commit a3fad2af91da39e2a4bdaf528bcfb2a94c4dd67c)
+
+CVE: CVE-2026-5446
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/a3fad2af91da39e2a4bdaf528bcfb2a94c4dd67c]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/internal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index fbf227a93..ccfecc235 100644
+--- a/src/internal.c
+++ b/src/internal.c
+@@ -20025,7 +20025,7 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
+         #ifdef HAVE_ARIA
+             if (ssl->specs.bulk_cipher_algorithm == wolfssl_aria_gcm)
+             {
+-                /* finalize authentication cipher — wc_AriaEncrypt is
+                /* finalize authentication cipher -- wc_AriaEncrypt is
+                  * stateless, so the explicit IV must always advance */
+                 AeadIncrementExpIV(ssl);
+                 if (ssl->encrypt.nonce)
@@ -41,6 +41,8 @@ SRC_URI = " \
    file://CVE-2026-3580.patch \
    file://CVE-2026-5188.patch \
    file://CVE-2026-5392.patch \
+    file://CVE-2026-5446-1.patch \
+    file://CVE-2026-5446-2.patch \
 "

 SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"